In-depth security news and investigation

Posts Tagged: pay-per-install

Security experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals.

Source: Symantec

NASK, the domain registrar that operates the “.pl” Polish top-level domain registry, said that on Thursday it began assuming control over 23 .pl domains that were being used to operate the Virut network. The company has redirected traffic from those domains to sinkhole.cert.pl, a domain controlled by CERT Polska — an incident response team run by NASK. The company says it will be working with Internet service providers and security firms to help alert and clean up affected users.

“Since 2006, Virut has been one of the most disturbing threats active on the Internet,” CERT Polska wrote. “The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut.”

Some of the domains identified in the takedown effort — including ircgalaxy.pl and zief.pl — have been used as controllers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent threats. Security giant Symantec recently estimated Virut’s size at 300,000 machines; Russian security firm Kasperskysaid Virut was responsible for 5.5 percent of malware infections in the third quarter of 2012.

The action against Virut comes just days after Symantec warned that Virut had been used to redeploy Waledac, a spam botnet that was targeted in a high-profile botnet takedown by Microsoft in 2010.

SELF-PERPETUATING CRIME MACHINE

A file-infecting virus that has long been used to steal information from infected PCs, Virut is often transmitted via removable drives and file-sharing networks. But in recent years, it has become one of the most reliable engines behind massive malware deployment systems known as pay-per-install (PPI) networks. One such example was “exerevenue.com,” a popular PPI network that once shared Internet resources with the aforementioned .pl domains.

PPI networks attract entrepreneurial malware distributors, hackers who are given custom “installer” programs that bundle malware and adware. In return, the distributors are paid a set amount for each 1,000 times their installer programs are run on new PCs. Access to the PPI networks is sold to miscreants in the underground, particularly spammers who are looking to increase the size of their spam botnets. Those clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to the PPI service, which in turn charges varying rates per thousand successful installations, depending on the requested geographic location of the desired victims.

The Exerevenue.com PPI program died off in 2010, but cached copies of the site offer a fascinating glimpse into the Virut business model. The following snippet of text was taken from Exerevenue’s software end-user license agreement (EULA, and yes, this malware had a EULA). It aptly described how Virut worked: As a file-infecting virus that injected copies of itself into all .EXE and .HTML files found on victim PCs. According to the Exerevenue administrators, the program’s installer relied on a trademarked “QuickBundle™” technology that bundled adware with other programs.

“3) The software will especially target .EXE and .HTML files in the process of bundling. Other types of files may also be affected. HTML files are bundled with adware indirectly, through Internet links, and it relies upon certain features of Web browsers that are often considered undesired. Therefore, you agree you will not deliver your bundled files to anyone who can be offended by the QuickBundle technology described earlier. In order to prevent a file from being bundled with adware, you can change its name to begin with PSTO or WINC (in case of .EXE and .SCR files) or change its extension (in case of .HTM(heart), .ASP, and .PHP files), for example to .TXT. Apart from enriching your files with ad-supported content, your Windows HOSTS file will be modified to block certain domains used for adware loading automatization.”

New research suggests that the majority of personal computers infected with malicious software may have arrived at that state thanks to a bustling underground market that matches criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs.

The PPI services also attract entrepreneurial malware distributors, or “affiliates,” hackers who are tasked with figuring out how to install the malware on victims’ machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install.

In August 2010, researchers at the University of California, Berkeley, and the Madrid Institute for Advanced Studies in Software Development Technologies infiltrated four competing PPI services by surreptitiously hijacking multiple affiliate accounts. They built an automated system to regularly download the installers being pushed by the different PPI services.

The snippet above is the introduction to a story I wrote for MIT Tech Review. Read the whole piece at this link.

Ads for Monocash, a 3-year-old PPI program that distributes the Zlob malware